From cebefdb61365aa649dff38e514161322f34b5442 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Fri, 29 Apr 2016 16:52:05 -0400
Subject: [PATCH] gateway: Configure firewalld

Signed-off-by: David Galloway
---
 roles/gateway/defaults/main.yml | 3 ++
 roles/gateway/tasks/firewall.yml | 60 ++++++++++++++++++++++++++++++++
 roles/gateway/tasks/main.yml | 5 +++
 roles/gateway/vars/packages.yml | 1 -
 4 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 roles/gateway/tasks/firewall.yml

diff --git a/roles/gateway/defaults/main.yml b/roles/gateway/defaults/main.yml
index bbee709..5fdb3fe 100644
--- a/roles/gateway/defaults/main.yml
+++ b/roles/gateway/defaults/main.yml
@@ -9,3 +9,6 @@ secrets_repo:
 
 openvpn_server_name: server
 openvpn_data_dir: /etc/openvpn/data
+
+gw_allow_http: "true"
+gw_allow_https: "true"
diff --git a/roles/gateway/tasks/firewall.yml b/roles/gateway/tasks/firewall.yml
new file mode 100644
index 0000000..a72d849
--- /dev/null
+++ b/roles/gateway/tasks/firewall.yml
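Review bot: The new defaults `gw_allow_http: "true"` and `gw_allow_https: "true"` are strings, and roles/gateway/tasks/firewall.yml tests them with `when: gw_allow_http == "true"`, so an inventory override written as a real boolean (`gw_allow_http: true`) never equals the string and the http rule is skipped without any report. Declaring them as booleans here, `gw_allow_http: true` and `gw_allow_https: true`, and testing them with `when: gw_allow_http | bool` in firewall.yml accepts both spellings, since the `bool` filter also understands the string form that existing overrides may use. The https task in that hunk has the same comparison, written `=="true"` without a space, and would change the same way.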
@@ -0,0 +1,60 @@
+---
+- name: Make sure iptables isn't running
+  service:
+    name: iptables
+    state: stopped
+    enabled: false
+  ignore_errors: true
+
+- name: Make sure firewalld is enabled
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+
+- name: firewalld | Allow openvpn traffic
+  firewalld:
+    service: openvpn
+    zone: public
+    state: enabled
+    permanent: true
+    immediate: yes
+
+- name: firewalld | Allow http traffic
+  firewalld:
+    service: http
+    zone: public
+    state: enabled
+    permanent: true
+    immediate: yes
+  when: gw_allow_http == "true"
+
+- name: firewalld | Allow https traffic
+  firewalld:
+    service: https
+    zone: public
+    state: enabled
+    permanent: true
+    immediate: yes
+  when: gw_allow_https =="true"
+
+# The following two tasks require Ansible v2.1 due to the 'masquerade'
+# and 'interface' parameters being new to that version. They only need to be
+# run the first time the role is run so it's okay for them to be skipped.
+- name: firewalld | Add connection masquerading
+  firewalld:
+    masquerade: yes
+    zone: public
+    state: enabled
+    permanent: true
+    immediate: yes
+  when: "{{ ansible_version.major }} >= 2 and {{ ansible_version.minor }} >= 1"
+
+- name: firewalld | Add tun0 to internal zone
+  firewalld:
+    zone: internal
+    interface: tun0
+    state: enabled
+    permanent: true
+    immediate: yes
+  when: "{{ ansible_version.major }} >= 2 and {{ ansible_version.minor }} >= 1"
diff --git a/roles/gateway/tasks/main.yml b/roles/gateway/tasks/main.yml
index 11a52a6..372fd87 100644
--- a/roles/gateway/tasks/main.yml
+++ b/roles/gateway/tasks/main.yml
@@ -15,6 +15,11 @@
   tags:
     - networking
 
+# Configure firewalld
+- include: firewall.yml
+  tags:
+    - firewall
+
 - name: Ensure data directory exists
   file:
     path: "{{ openvpn_data_dir }}"
diff --git a/roles/gateway/vars/packages.yml b/roles/gateway/vars/packages.yml
index 2d1f25f..145afd6 100644
--- a/roles/gateway/vars/packages.yml
+++ b/roles/gateway/vars/packages.yml
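Review bot: The guard `when: "{{ ansible_version.major }} >= 2 and {{ ansible_version.minor }} >= 1"` on the last two tasks is false for any release whose minor number is 0, so a future 3.0 would skip masquerading and the tun0-to-internal assignment even though it is newer than 2.1, and the header comment only argues that skipping is harmless on repeat runs, not on a first run of a host. A proper version comparison, `when: ansible_version.full | version_compare('2.1', '>=')` on both tasks, is monotonic and also drops the `{{ }}` inside `when:`, which Ansible warns about because `when` is already a Jinja expression. If the masquerade task is skipped on a first run, VPN clients presumably have no NAT through the gateway, though that cannot be confirmed from this hunk alone. As a point of style, the file mixes `yes` with `true`/`false` for the same kind of boolean (`enabled: false` next to `enabled: yes`, `permanent: true` next to `immediate: yes`); using `true`/`false` throughout would read consistently.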
@@ -10,7 +10,6 @@ packages:
   ## VPN-specific stuff
   - openvpn
   - easy-rsa
-  - iptables-services
   ## monitoring
   - nrpe
   - nagios-plugins-all
-- 
2.39.5